1Password - memory attack affect macOS version?

snowysnowy
edited February 28 in Mac

https://www.securityevaluators.com/casestudies/password-manager-hacking/

recent security bulletin in regards to password managers (LastPass, 1p, keepass). This is specific to windows, but curious could this issue extend to the macOS version? In this case passwords (including master passwords) that are being saved in memory as cleartext.


1Password Version: 7.2.5
Extension Version: Not Provided
OS Version: 10.14.2
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @snowy,

    The researcher in this case only evaluated Windows applications, but yes, to a limited extent, this applies to all consumer platforms.

    From our Chief Defender Against the Dark Arts, Jeff Goldberg (here):

    in principle we have the same issue on Mac, but in practice these things play out differently. It appears that these do get cleared from memory faster on the Mac. Some of this can be attributed specific design, some to automatic reference counting versus garbage collection, and some operating system environment.

    We were more concerned about this on Mac when DMA attacks were a thing. But fortunately that environment made it easier to make progress on this. But some of the fundamental issues remain. We need to use Apple’s SecureInput for Master Password input, which is an immutable string [...]

    I have since been informed that SecureInput on Apple devices does everything we want. Sure it gives us an immutable string, but it is actually zeroed in memory as soon as it is freed, and it is written a page in memory that is never written to swap.

    Note: Jeff wasn't entirely explicit here, but we do use SecureInput... both for the Master Password and when editing items in 1Password for Mac.

    Also, considering the fact that this attack requires that the computer already be compromised (e.g. infected with malware), and malware is much less common on Mac than on Windows, that even further reduces the general level of concern on that platform.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • BenBen AWS Team

    Team Member

    It is also worth pointing to this post from a customer on the subject.

    Ben

  • awesome thanks for the quick response! I had feeling mac had less of an issue with this. mainly because of the new advancements from SIP, enchanced runtime, secure input etc...nice to know you make use of those :)

  • BenBen AWS Team

    Team Member
    edited February 28

    You're very welcome. :)

    I'm going to close this thread, as the question has been answered, but if there are other concerns regarding this topic that aren't addressed in our knowledge base article please feel free to reach out to our security team at [email protected]. Thanks!

    Managing 1Password secrets in memory

    Ben

This discussion has been closed.